Analytics Series
Vol.1 No6.:
Legal, Risk
and Ethical
Aspects of
Analytics in
Higher Education
By David Kay (Sero Consulting), Naomi Korn
and Professor Charles Oppenheim
CETIS Analytics Series ISSN 2051-9214
Produced by CETIS for JISC
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Legal, Risk and Ethical Aspects of Analytics in Higher Education
David Kay (Sero Consulting Ltd) with input from Naomi Korn Consultancy & Professor Charles
Oppenheim
Table of Contents
1.
2.
3.
4.
5.
6.
Executive Summary .................................................................................................................................. 4
1.1
Scope ..................................................................................................................................................... 4
1.2
Corporate Considerations .......................................................................................................................... 4
1.3
The Data and The Law.............................................................................................................................. 5
1.4
Ethical Dimensions ................................................................................................................................... 5
1.5
Guiding Principles .................................................................................................................................... 6
Context ................................................................................................................................................... 7
2.1
This Report ............................................................................................................................................. 7
2.2
Higher Education Interest .......................................................................................................................... 7
2.3
Legal and Ethical Context .......................................................................................................................... 8
Use Cases ............................................................................................................................................... 9
3.1
Data Sources ........................................................................................................................................... 9
3.2
Service Scenarios .................................................................................................................................... 9
Legal Considerations .............................................................................................................................. 11
4.1
Data Protection Act (DPA) ....................................................................................................................... 11
4.2
Confidentiality and Consent Management ................................................................................................. 13
4.3
Freedom of Information (FoI) ................................................................................................................... 13
4.4
Intellectual Property Rights (IPR) ............................................................................................................. 14
4.5
Licensing for Reuse ................................................................................................................................ 15
4.6
Legal considerations at a glance .............................................................................................................. 15
Consent - Opt in or opt out? .................................................................................................................... 17
5.1
Strategies.............................................................................................................................................. 17
5.2
Ramifications ......................................................................................................................................... 18
5.3
Shared Services..................................................................................................................................... 19
Ethical Dimensions ................................................................................................................................. 19
6.1
Considerations ....................................................................................................................................... 19
2
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
7.
6.2
Ethics and Research Practice .................................................................................................................. 20
6.3
Business and Consumer Practice ............................................................................................................. 22
6.4
Brave New World ................................................................................................................................... 25
6.5
6Does domain or application make a difference?........................................................................................ 26
6.6
Guiding Principles .................................................................................................................................. 27
References ............................................................................................................................................ 28
3
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
1. Executive Summary
1.1 SCOPE
The collection, processing and retention of data for analytical purposes has become commonplace in modern business, and
consequently the associated legal considerations and ethical implications have also grown in importance. Who really owns
this information? Who is ultimately responsible for maintaining it? What are the privacy issues and obligations? What
practices pose ethical challenges?
This paper in the CETIS Analytics series covers legal, ethical and related management issues surrounding analytics in the
context of teaching, learning and research and their underlying business processes. It is based on current UK law, set in the
context of publicly funded Further and Higher Education and their mission. With a primary focus on personal data, it
considers the rights and expectations of the data subjects (students, researchers, employees) and the responsibilities of
institutions, above campus services, suppliers and funders.
1.2 CORPORATE CONSIDERATIONS
The types of personal data under consideration may have been collected for some years in a variety of IT systems, yet
largely not utilised for analytical purposes. However, there are now compelling motivations driving the development of
analytics capabilities in the sector:
 Responses to economic and competitive pressures may be derived from business intelligence.
 Analytics practice is strongly linked to modern enterprise management.
 Users, especially born digital generations, appear increasingly to expect personalised services that are responsive to
profile, need and interest and are therefore more likely to be content for their data to be used to those ends.
In considering the collection and processing of such data, institutions need to balance risks and rewards with legal and policy
obligations as well as with the expectations of their community:
 Aligning use of personal activity data and business intelligence with their overall mission and motives.
 Weighing the benefits and costs of putting in place policies, procedures and tools for organisational legal and risk
compliance.
 Adapting governance frameworks and developing staff awareness to cover the responsibilities relating to such data.
 Taking account of capture and exploitation of student or researcher activity data outside direct corporate controls by
individual academics and service providers including shared services.
However, exercise of due diligence is hampered by the speed of developments in the online world and the p ressure not to be
left behind as institutions compete for students and for research funding.
 The level of legal ‘maturity’; There is a lack of precedent to indicate the application of the law in the digital environment
and therefore there remains uncertainty about legal interpretation.
 Comparable ethical settings; Bearing in mind therefore that practice and precedent in education is relatively underdeveloped, useful exemplars might be found in research and medical ethics and in retail and online consumer services;
however, there remains an underlying question as to whether education is in some respects special.
4
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
1.3
THE DATA AND THE LAW
The factors described above can serve to generate a degree of fear, uncertainly and doubt, even given the opportunity to
apply legal assessments and ethical principles backed confidently elsewhere in society. It is in the light of such expectation s
that this paper explores legal considerations, highlighting issues and mitigations that will enable institutions to progress their
use of analytics whilst managing risk to the benefit of the individual, the institution and the wider mission of education.
The legal and ethical considerations relating to analytics are focused on personal data processed by or on behalf of the
institution. Whilst other corporate data, in areas such as financials or estates, present their own technical, operational and
interpretative challenges, they do not raise such immediate legal and ethical issues relating to individuals. Such personal
data of analytical value may range from formal transactions to involuntary data exhaust (such as building access, system
logins, keystrokes and click streams). The data can be derived from a range of systems:




Recorded activity; student records, attendance, assignments, researcher information (CRIS).
Systems interactions; VLE, library / repository search, card transactions.
Feedback mechanisms; surveys, customer care.
External systems that offer reliable identification such as sector and shared services and social networks.
Under UK law, the practice of analytics, especially with reference to personal data, should be considered under the headings
of Data Protection, Confidentiality & Consent, Freedom of Information, Intellectual Property Rights and Licensing for Reuse.
In the light of the legislation and the guidance of the Information Commissioner, and subject to adoption of good data
governance, training and active risk management, this paper reflects on low levels of risk and proposes responsible
mitigation in keeping with the reputation, mission and business imperatives of the sector.
1.4 ETHICAL DIMENSIONS
Given the education mission and associated governance responsibilities, broad ethical considerations are crucial regardless
of legal obligation. This impacts broad considerations and concerns about the use of personal data, as well as the specific
uses involved in analytics.




Variety of data - principles for collection, retention and exploitation.
Education mission - underlying issues of learning management, including social and performance engineering.
Motivation for development of analytics – mutuality, a combination of corporate, individual and general good.
Customer expectation – effective business practice, social data expectations, cultural considerations of a global
customer base.
 Obligation to act – duty of care arising from knowledge and the consequent challenges of student and employee
performance management.
We compare these considerations with the experience and resulting norms in the research, consumer and social network
domains. Research ethics provide a valuable basis for thinking about the issues raised by analytics, with the added
advantage of recognition within the educational community. The practice adopted by leading business to consumer players
provides a clear and legally grounded approach that is likely to be readily understood by the public in much of the world.
More radically, some commentators emphasise the imperative to review and even to revise ethical considerations on
account of the increasingly widespread adoption of online transaction with its associated activity-based and social feedback
loops. In this ‘brave new world’ there is a will, even a presumption of necessity, to trade privacy for other benefits within the
new social economy. However, others such as Keen (‘Digital Vertigo’) and Lanier (‘You are not a Gadget’), have pointed to
the personal and societal downsides of an online data-driven culture.
5
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Furthermore there is danger in assuming that ethical considerations are universal and therefore promoting the transferability
of norms across cultural and domain boundaries – in this case adopting norms established about the use of personal data for
analytical purposes in domains such as research, consumer services and social networks.
So the challenge is whether the education community, not least in the emerging field of learning analytics, should revise its
ethical position on account of the changing attitudes and expectations in the digital realm with which learners and
researchers are increasingly associated. At the very least, even if ethical norms are not immutable or self-evident, practice in
other sectors suggests candidate approaches.
1.5 GUIDING PRINCIPLES
As Voltaire’s Candide might have reflected, we are faced with the imperative to seek out the ‘best of all possible worlds’:
 In assuring educational benefits, not least supporting student progression, maximising employment prospects and
enabling personalised learning, it is incumbent on institutions to adopt key principles from research ethics.
 As businesses, post-compulsory educational institutions are facing the same business drivers and globalised
competitive pressures as any organisation in the consumer world.
 To satisfy expectations of the ‘born digital’ / ‘born social’ generations, there is a likely requirement to take on ethical
considerations, which may run contrary to the sensibilities of previous generations, especially in respect of the trade -off
between privacy and service.
Notwithstanding these tensions, we conclude that there are common principles that provide for good practice:
 Clarity, open definition of purpose, scope and boundaries, even if that is broad and in some respects open-ended.
 Comfort and care, consideration for both the interests and the feelings of the data subject and vigilance regarding
exceptional cases.
 Choice and consent, informed individual opportunity to opt-out or opt-in.
 Consequence and complaint, recognition that there may be unforeseen consequences and therefore providing
mechanisms for redress.
6
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
2. Context
2.1 THIS REPORT
This paper in the CETIS Analytics Series covers legal, ethical and related management issues surrounding the generation,
use and sharing of analytics data in the context of teaching, learning and research and the underlying business processes.
The report is;
 Based on current UK law.
 Set in the context of publicly funded Further and Higher Education and its mission.
 Focused on the collection, control and processing of personal data, which is a strong focus of the law and which raises
particular ethical considerations, both general and educational.
The report takes account of the implications for the wide range of ‘actors’ involved:
 Rights and expectations of the data subjects – students and their parents / carers, researchers, employees.
 Responsibilities of the supply side - institutions, above campus services, their employees and their functions (for
example, teaching, research, registry, finance, quality, marketing, planning, estates).
 Implications for unions, professional associations, vendors / suppliers and funders.
2.2 HIGHER EDUCATION INTEREST
The types of personal data under consideration may have been collected for some years by many institutions in a variety of
IT systems, ranging from registry to access control. Typically, such data has not however been used for analytical purposes
and may largely have been un-utilised.
However, there are currently compelling motivations to look at the development of analytics capabilities in the sector:
 Responses to economic and competitive pressures may be derived from business intelligence, analytics drawing on a
wide range of data available within and beyond the institution.
 Agility of analysis is essential, as the cascade of questions that might be asked within the institution and by third
parties is not predictable.
 Use of analytics is expected as good practice in modern enterprise management.
 Sector customers, especially born digital generations, may also expect that good businesses will deliver intelligent
personalised services that are responsive to profile, need and interest and are therefore content for their data to be
used to those ends.
 Accessible and affordable IT tools now exist not only to organise and to store this large scale data but also to visualize
the patterns and trends it contains.
 The unpredictability of questions to be answered by the data implies that it may be counter-productive to perform
aggregations motivated by current understanding of the analytical narrative. Aggregations almost certainly impose
downstream analytical limitations (for example aggregation typically loses the time precision and may also loose other
contextual identifiers). However, storage of raw data raises both legal and ethical concerns.
7
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
2.3 LEGAL AND ETHICAL CONTEXT
In considering the collection and processing of such data, institutions will need to balance the risks and rewards of using this
data, with legal and policy obligations.1
However, such a process of due diligence is hampered by the speed of developments in the online world and the pressure
not to be left behind as institutions compete for students and for research funding.
 Level of legal ‘maturity’; there is a lack of precedent and therefore of case law to indicate the application of the law in
the current digital environment; the law (for example, the Data Protection Act 1998) was not specifically designed to
accommodate emerging practice in social media, online retail and comparison services and therefore there remains
uncertainty about interpretation in the absence of case law.
 Comparable ethical settings; bearing in mind therefore that practice and precedent in education is relatively underdeveloped, it may be useful to look for lessons in other comparable sectors with well-articulated positions regarding
consent and customer care. Useful exemplars might be found in research and medical ethics and in retail and online
consumer services.
 Education is different; there remains an underlying question as to whether education is in some respects special;
regardless of legality, it might be suggested that education is, from the perspective of its own practitioners, ethically
more sensitive than other sectors.
These factors can serve to generate a degree of fear, uncertainly and doubt, even given the opportunity to apply legal
assessments and ethical principles backed confidently elsewhere in society. Indeed, it might be argued that educational legal
counsel and established academics provide a mutual reinforcement that is least likely to depart from custom and established
practice. However, the new economics of education, the expectations of born digital students and new pedagogies (e.g.
geared to personalisation and Massively Open Online Courses [1]) may represent an undeniable tipping point.
It is in the light of such expectations that this paper explores legal and ethical considerations, highlighting issues and
mitigations that will enable Further and Higher Education institutions to progress their use of analytics whilst managing ris k to
the benefit of the individual, the institution and the wider mission of education.
1
The investigation undertaken by the University of Edinburgh usefully addresses these considerations -
http://edina.ac.uk/projects/Using_OpenURL_Activity_Data_Initial_Investigation_2011.pdf
8
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
3. Use Cases
The legal and ethical considerations relating to analytics are focused on personal data processed by, or on behalf of, the
institution. Whilst other corporate data, in areas such as financials or estates, present their own technical, operational an d
interpretative challenges, they do not raise such immediate legal and ethical issues relating to individuals.
This section seeks to exemplify the types of data and the modes of collection and of processing that relate to personal data.
3.1
DATA SOURCES
Personal data of analytical value may range from formal transactions (such as assignment submissions) to involuntary data
exhaust (such as building access, system logins, keystrokes and click streams).
The data can be derived from a range of institutional systems sources; for example:
 Recorded activity - student records, lecture attendance, assignment submission, research publication, researcher
information (CRIS).
 Systems Interactions - VLE, library / repository search.
 Card-based transactions - student / staff card, library card.
 Feedback mechanisms - surveys, customer care.
 General access - to anything digitally controlled through IT systems, such as buildings.
The same individuals could be tracked in any external systems that offer some form of reliable identification such as:
 Above campus shared and sector services ;e.g. Copac, Jorum, HESA, SCONUL Access, UCAS.
 Social networks; e.g. Facebook, Foursquare, LinkedIn, Twitter.
3.2 SERVICE SCENARIOS
Regardless of the type of data or the source application, there is a common range of Use Cases that characterise the service
scenarios in which the collection and subsequent control and utilisation of the data take place, as presented below.
For each of these cases, and for any other variants, it is important to understand the following responsibilities, so that issues
raised can be considered and where necessary, suitably mitigated:
 Legally - under the law (generally, not just for the purposes of the Data Protection Act), who is the data collector?
 Ethically – regardless of the defensible legal position, what responsibility does the institution or sector service have?
This is especially important in the case of above campus and outsourced services.
Whilst our six use cases will often be combined in the flow of analytics activity, it is useful to consider the key legal issues for
each individually:
9
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Use Case
Examples
Main Legal Issues – see Sections
4.1-5
UC1
Institution
processing raw
data collected
upstream.
Use of the university hash
tag on Twitter.
4.1 Data Protection
4.2 Confidentiality and Consent
4.3 FoI
4.4 IPR
UC2
Institution using
data collected
and processed
upstream.
Data supplied by UCAS –
which may or may not have
been anonymised and / or
aggregated.
4.1 Data Protection
4.2 Confidentiality and Consent
4.3 FoI
4.4 IPR
UC3
Institution as
Collector using
data collected
from internal
systems.
Data used for institutional
purposes, such as library
resource management or
help desk staffing, course
re-design.
Data used for personal
purposes, such as learning
support, personalisation,
advice and guidance.
4.1 Data Protection
4.2 Confidentiality and Consent
4.3 FoI
UC4
Institution as
Collector
supplying its data
to its subject for
personal use.
Data supplied in a transfer
format or through an API;
there are no known current
examples but it is a likely
future use case that falls
within a logical view of the
data subject’s rights,
especially in a lifelong
learning context.
4.1 Data Protection
4.2 Confidentiality and Consent
4.5 Licensing
UC5
The Collector
sharing its data
with other parties
– notably with
partners, vendors
or customers.
Collection as a franchise
operator supplying data to
the franchise ‘licensor’.
4.1 Data Protection
4.2 Confidentiality and Consent
4.3 FoI
4.5 Licensing
4.1 Data Protection
4.2 Confidentiality and Consent
4.3 FoI
4.4 IPR
4.5 Licensing
4.1 Data Protection
4.2 Confidentiality and Consent
A publisher as collector
sharing usage data with
client institutions.
An institution sharing data
with regulators or funders;
e.g. HESA, REF.
10
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
UC6
Institution as
Collector
releasing its data
publicly as Open
Data.
EDINA releasing OpenURL
Resolver data.
4.1 Data Protection
4.2 Confidentiality and Consent
4.4 IPR
4.5 Licensing
4. Legal Considerations
Legal considerations associated with activity data (and the associated ethical and risk considerations) can be categorized
under the following headings:





Data Protection
Confidentiality and Consent
Freedom of Information
Intellectual Property Rights
Licensing for Reuse
4.1 DATA PROTECTION ACT (DPA)
Compliance with the Data Protection Act (“DPA”) is a requirement for organisations involved in processing personal
information including information associated with identifiable living individuals. Activity data may be classed as personal
information if it can be associated with an identifiable individual.
What makes a difference under the law?
Does the information relate to an identifiable, living, individual?
Data Protection law only applies to information relating to an identifiable living individual. Activity data will therefore escape
the DPA’s provisions if it is collected anonymously. The Information Commissioner has recently produced a draft
anonymisation code of practice (available at http://www.ico.gov.uk/news/latest_news/2012/ico-consults-on-new-anonymisationcode-of-practice-31052012.aspx ). So, for example, where activity data relates to an IP address, unless there is a record of the
individual user allocated that particular IP address at that time, the use of the data will not be subject to the DPA.
Who is the data controller?
The law makes the ‘data controller’ primarily responsible for compliance with the Act. The data controller is the person or
organisation that lays down the purposes for which the data is going to be used. This may or may not be the same person
as the one that collects the data. Anyone who processes the data (including collecting it, calculating or amending it, or
transferring it to someone else) is a “data processor” in law. The data controller must ensure that the data processors
chosen to process the personal data abides by their DPA duties and obligations.
11
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
What must the data controller ensure?
The data controller must ensure that use of the personal data is fair and lawful. That means that the ‘data subject’ (the
person about whom the data relates) must be informed as to the purpose of collecting the data, and that processing of the
data must be done under one of the justifications listed in Schedule 2 of the Act (usually that consent has been given, that
the data is required to fulfil a contractual obligation to the data subject, or that processing is in the legitimate interests of the
data controller). In addition, there must be compliance with the other ‘principles’ listed in Schedule 1 – that the data is only
used for the purpose notified, that where necessary it is kept up-to-date and accurate, and that it is dealt with using security
measures (technical and organisational) appropriate to the sensitivity of the data. Other obligations are that the data shall be
accurate, and that the data controller must respond to any requests by the data subject to inspect the data held about them.
What happens if the data is anonymised or aggregated?
As long as a living individual cannot be identified from the remaining data, it ceases to be personal data, and the provision s
of the DPA no longer apply. However, it is essential to bear in mind that anonymisation and even aggregation does not
necessarily prevent identification, notably in cases where the unit of aggregation involves small numbers of data items – for
example, courses with small numbers or resources that are rarely borrowed, or residences with few occupants. This matters
because the apparently anonymised data may implicitly or indirectly point to a single individual – for example, borrowers of a
large print version of a text on a small Masters course.
Would a complaint about personal identification in aggregated data be upheld in law?
If the individual can be identified from this data and the act cannot be justifiably carried out under one of the justifications
listed in Schedule 2 of the Act then this might be a potential breach of the DPA. In addition, there must be compliance with
the other ‘principles’ listed in Schedule 1 – that the data is only used for the purpose notified, that it is kept up-to-date and
accurate, and that it is dealt with under security measures (technical and organisational) appropriate to the sensitivity of the
data. There is no legal objection as such to personal data being processed – the DPA is not a privacy law. The DPA simply
provides the framework for circumstances when personal data can be lawfully processed. Therefore, as long as the DPA
rules are followed, an individual has no grounds for complaint that their identity can be deduced within a mass of aggregated
data. Of course, if it turns out that the personal data breaches some aspect of the DPA, then the individual has grounds for
complaint.
What about forthcoming European rules?
In January 2012, the European Commission proposed a comprehensive reform of the EU's 1995 data protection rules “to
strengthen online privacy rights and boost Europe's digital economy”, recognising that “technological progress and
globalisation have profoundly changed the way our data is collected, accessed and used.” The proposed reforms cover a
broad set of emerging data protection challenges, not least raised by social networks, including the “right to be forgotten”
(i.e. notwithstanding obligations under the law, to have attributable personal data taken down), and data portability. We
should however bear in mind that this is only at a formative stage at EU level, facing the challenge of addressing the widely
varied interpretation of the current 1995 rules across the 27 member states, and then the downstream hurdle of incorporation
into UK law, so it is not a current consideration or risk.
Further reading about this topic can be found here:
Data Protection Guidance produced by the Information Commissioner’s Office
http://www.ico.gov.uk/for_organisations/data_protection.aspx
12
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
JISC Legal Personal Data and Consent Management Paper
http://www.jisclegal.ac.uk/Projects/ConsentManagement.aspx
4.2 CONFIDENTIALITY AND CONSENT MANAGEMENT
In UK law there exists a 'duty of confidentiality'. Because it was developed through case law, it is difficult to make clear-cut
interpretations.
In some circumstances, the law relating to contracts may apply, and researchers should be aware of this. If an explicit
statement of agreement has been made on the extent of the confidentiality to be afforded to the provider of the information
(e.g., in a consent form), this may constitute a contract. Disclosure of information subject to such a confidentiality agreement
would constitute a breach of confidentiality and possibly a breach of contract. A duty of confidentiality can also arise without
an explicit statement of this kind. It may be established in situations where information is sensitive, for example medical
details, and when it has been supplied in circumstances in which the recipient might reasonably suppose it to be confidential.
Further reading about this topic can be found here:
JISC Legal Personal Data and Consent Management Paper
http://www.jisclegal.ac.uk/Projects/ConsentManagement.aspx
4.3 FREEDOM OF INFORMATION (FOI)
Universities and colleges need to prepare themselves for external requests for their activity data and information about thei r
activity data in accordance with their responsibilities as outlined within the Freedom of Information Act.
What are the implications in practice?
Could a justifiable request be made for the supply of activity and other like data collected for
analytical purposes?
Under Freedom of Information legislation, any third party is entitled to make such a request. The response must be made in
such a manner that no personal data is disclosed.
Bearing in mind the potential scale of such data, would an F oI request need to be specific
regarding period and category?
No, it does not have to be. There are circumstances where the recipient of an FoI request can refuse to answer a request if
it considers the request to be unreasonably broad or deliberately vexatious, but the requestor is then entitled to complain t o
the Information Commissioner’s office about the refusal, and the Institution would have to justify its refusal to the ICO.
However, it is common for recipients of FoI requests to encourage requestors to be as specific as possible in their
information needs.
13
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Bearing in mind the opaque nature of t his type of highly codified data, would an F oI response
require a reporting format that indicated the meaning of the data?
Yes, always. The information supplied must be in a form that the recipient can understand it. This can be achieved, for
example, by an accompanying document explaining the codes used, or an invitation to the requestor to come in and discuss
the contents with someone who can explain their significance.
Further reading about this topic can be found here:
JISC Legal Information on FoI
http://www.jisclegal.ac.uk/LegalAreas/FreedomofInformation.aspx
4.4
INTELLECTUAL PROPERTY RIGHTS (IPR)
Although raw activity data is unlikely to attract copyright, a type of IPR, collations of such data may attract database rights,
another type of IPR, which can restrict uses of substantial amounts of this data; enhanced activity data may itself be in
copyright and may well enjoy database rights as well. In this case, it is important to understand:
 If there is any IPR, and if so, what type(s)?
 Who might own it?
 If any part of the data is owned by a third party under what terms can it be accessed, used or repurposed?
Typically, since the institution has collected (and maybe enhanced) the data, it is the owner of any IPR in that data.
Notwithstanding IPR, the institution is also subject to the DPA. One key feature of the DPA is the right of an individual to
have inaccurate data about them blocked or deleted, and this right over-rides any IPR ownership that the institution may
happen to have over the data.
However, as noted earlier, as long as the personal data is created and processed in accordance with the DPA, the individual
cannot object to its mere presence in the database. Under the DPA, any individual is entitled to receive a copy of the data
pertaining to them, but if they do obtain a copy of such data, they should be aware that any IPR remains with the institution ,
so the individual might not be able to further reproduce or disseminate the data.
However, we might predict increasing interest in the value of activity data to the individual, especially if it becomes porta ble
across personal and lifelong learning systems and wider social services such as recommenders. This is likely to raise issues
regarding user rights to ‘take away’ their own data and on the other hand regarding any ‘enhanced’ data that may not be
theirs to take, but which provides vital context to their data. Assuming IPR issues are surmountable, there will also be
licensing choices as introduced below.
Further reading about this topic can be found here:
JISC Legal Information on IPR
http://www.jisclegal.ac.uk/LegalAreas/CopyrightIPR.aspx
Web2Rights project
www.web2rights.org.uk
14
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Strategic Content Alliance IPR and Licensing Toolkit
www.web2rights.com/SCAIPRModule
http://sca.jiscinvolve.org/wp/allpublications/ipr-publications/
OER IPR Support Project
www.web2rights.com/OERIPRSupport
4.5 LICENSING FOR REUSE
The choice of data licences for facilitating reuse of anonymised activity data needs to take into account several key issues.
Organisations need to balance their choice of reuse licences with their approach to “openness” and interoperability; any
possible third party rights issues and ensuing risks. They also need to consider their obligations under the Re -Use of Public
Sector Information Regulations, which, whilst currently not applying to educational establishments, are likely to be a mended
in the next couple of years.
Further resources about this topic can be found here:
Licensing Open Data: A Practical Guide
http://discovery.ac.uk/files/pdf/Licensing_Open_Data_A_Practical_Guide.pdf
Open Bibliographic Data Guide
http://obd.jisc.ac.uk/
Exploiting Activity Data
http://www.activitydata.org/index.html
Licensing compatibility
http://www.youtube.com/watch?feature=player_embedded&v=5BWqgVpcHCs
Re-Use of Public Sector Information Regulations
http://www.legislation.gov.uk/uksi/2005/1515/contents/made
4.6 LEGAL CONSIDERATIONS AT A GLANCE
The following tables summarise the key legal and ethical considerations.
Table 1 summarises these legal issue with reference to the main pieces of legislation and the related ethical issues.
15
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Table 2 summarises the types of consequent risks associated with generating, using and sharing activity data and the types
of actions that institutions might implement to mitigate such risks.
Table 1 - Legal Details and Ethical Implications
Issue
Legal Details
Ethical Implications
Data Protection
Data Protection Act 1998 [3].
Collection and Distribution; accuracy of data;
right to view one’s own data.
Consent.
Freedom of
Information
Freedom of Information Act 2000 [4].
The FoI Act does not permit passing of personal
data, so there are no privacy threats.
Intellectual
Property Rights
Copyright [5].
Rights to my own data and the ability to access it
for my own use.
Database Rights [6].
Licensing
Customised data licences:
Open Data Commons Licences [7].
Creative Commons Licences [8].
Open Government Licence [9].
Access to, control and reuse of my own data lifetime portability.
Lifespan and validity of use.
Principles of reuse.
Table 2 - Risks and Mitigations
Issue
Risks
Mitigating Activities
Data Protection
Registration..
Data governance - developing clear organisational
policies and procedures.
Responsibility..
Establishing organisational appetite for risk.
Consent explicitly dealt with on opt in and / or opt out
basis (below).
Consent management..
Setting thresholds for group sizes (e.g. smaller than 20
represents higher risk).
Anonymity and traceability.
Freedom of
Information
Number and level of requests.
Intellectual
Complexity.
Developing clear organisational procedures and policies.
Factoring expense of handling requests into budget.
Allocation of roles and responsibilities outlined in clear
16
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Property Rights
policies and procedures.
Time and budget management.
Seeking third party permissions where possible for any
third party rights.
Seeking permission and extent of any
permissions granted.
Documenting permissions which have been granted in
information management systems.
Understanding who has ‘generated’
activity data and any related terms.
Licensing
Other contractual obligations..
Notice and Take Down Policy and Procedures for
managing contested areas. [10]
Who can the activity data be shared with
and how?
Developing clear policies and procedures relating to
organisational position on “openness”.
Expectation of “openness” and
interoperability vs. potential commercial
concerns.
Ensuring that the data licence which
facilitates sharing of the activity data is
compatible with any third party rights and
obligations associated with the activity
data.
Attribution stacking / lack of attribution.
Establishing where the value lies and considering
developing charged for services around the data.
Understanding licensing as part of a holistic
organisational approach to open licensing and
commercial activities.
Establishing an organisational licensing framework to
help ensure that the selected data licence takes into
account the extent of any permissions granted by third
parties.
Reconciling the need for attribution with optimising the
interoperability of data.
5. Consent - Opt in or opt out?
Sharing personal data across and between institutions and service providers can be complex and will require compliance
with legal responsibilities, particularly the DPA. Institutions need to understand the implications of the creation and
dissemination of personal data, their roles and responsibilities regarding consent management, arising issues associated
with anonymised data as well as the possible role of risk management decisions. A briefing paper by Naomi Korn and
Professor Charles Oppenheim [11] provides more information on this topic as well as: a Risk Assessment Checklist and
Good Practice Recommendations.
5.1 STRATEGIES
In a response to the potential extent of legal and ethical issues that might arise associated with the generation, use and
sharing of activity data, UK universities and colleges need to discuss the merits and potential risks associated with consent
and whether they adopt an opt in and / or opt out of their collection of student and staff activity data.
17
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
There are three plausible strategies that might be adopted:
 Strategy 1 - initial opt in, (e.g. consent given at registration, or at the start of each academic year), still requiring further
explicit opt in consent regarding any changes in policy and / or materials being collected.
 Strategy 2 - initial opt in, (e.g. consent at registration), requiring only opt outs regarding any changes in policy and / or
materials being collected.
 Strategy 3 - initial opt out (e.g. at registration), requiring further opt outs regarding any changes in policy and / or
materials being collected.
Each one may or may not be combined with the option for the individual to change their mind at any time during their
involvement with the institution, or even after it.
5.2 RAMIFICATIONS
In order to comply with the principle of fair and lawful processing, the data controller should seek the consent of the person
about whom data is being collected. The Data Protection Act 1998 does not specify whether opt-in or opt-out is to be used
in any particular circumstances. Instead, it asks the wider question as to whether the user can be said to have given proper,
informed consent. A confusing opt-out tick-box, with little or incomprehensible explanatory information is not likely to be
considered as valid consent. Although an opt-in box is much more likely to be held to be consent, (as it requires a definite,
positive action), the danger is that the user’s inertia means failing to opt-in is a much higher risk.
The ICO has produced guidance on this, available at
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/opt_in_out.aspx .
One exception applies where activity tracking is carried out using cookies. The latest Privacy and Communications
Regulations (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) require prior consent
before cookies are placed on the user’s computer, though the latest ICO guidance allows for implied consent, provided there
is sufficient information about the cookies to be used.
Higher Education and Further Education Examples
The following are examples of an opt-in approach to handling personalised data.
 Trinity College, Cambridge - http://www.trin.cam.ac.uk/show.php?dowid=934
 Homerton College, Cambridge -http://www.homerton.cam.ac.uk/pdf/data_protection_consent.pdf
We have no evidence of F/HE institutions offering an opt-out approach to individuals, though the principle has been adopted
in other contexts.
 By UK government regarding the sale of personal data held in the Edited Electoral Register, which is permitted by law
and presented as the default from which electors can opt-out on registration [12].
 Within the HE shared service supply chain – for example, by EDINA (OpenURL data – see 5.3 below).
18
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
5.3 SHARED SERVICES
A further variant of offering opt-in or opt-out options has been introduced by aggregation services (such as operated by
EDINA and Mimas) and other shared services within the sector – though the same considerations would apply to
aggregations performed outside the sector.
Within the sector, the work undertaken by EDINA, the JISC data centre at the University of Edinburgh, in running the shared
OpenURL Router service and thereby collecting sector-wide activity data relating to e-journal access, provides a clear
example. EDINA collects anonymised data relating to the activity of users from around 100 institutions, which it wishes to
make openly available for analysis. It would be impractical to request permission of each user across the sector. Having
taken legal advice, EDINA therefore gave each institution notice to opt-out of this value-added service, meaning that data
from its users will be excluded. The implication in this cascade is that the institutions will have covered this type of coll ection
and use in general yet adequate terms in their own local consent processes [13].
Beyond education sector boundaries, we should take account of how consumer services deal with multi-partner (shared,
outsourced, etc.) issues relating to personal data and business intelligence. ‘Business to Consumer’ services increasingly
involve extensive partnership arrangements within which personal data is transferred and processed. The education sector is
increasingly involved in comparable arrangements precipitated by outsourcing and franchising. In Section 6, we explore how
operations such as Amazon and Nectar deal with these supply chain requirements.
6. Ethical Dimensions
6.1 CONSIDERATIONS
In an interview with O’Reilly Radar [14] co-author Kord Davis of the forthcoming title ‘Ethics of Big Data: Balancing Risk and
Innovation’ reflected that:
‘Big data itself, like all technology, is ethically neutral. The use of big data, however, is not. While the ethics
involved are abstract concepts, they can have very real-world implications. The goal is to develop better ways
and means to engage in intentional ethical inquiry to inform and align our actions with our values. There are a
significant number of efforts to create a digital “Bill of Rights” for the acceptable use of big d ata. The
challenge is how to honor those values (transparency, security and accountability) in everyday actions as we
go about the business of doing our work.’
In February 2012, the White House unveiled a blueprint for a Consumer Privacy Bill of Rights to protect consumers online
[15]. As the President wrote in his cover letter to the report:
“Never has privacy been more important than today, in the age of the Internet, the World Wide Web and
smart phones. In just the last decade, the Internet has enabled a renewal of direct political engagement by
citizens around the globe and an explosion of commerce and innovation creating jobs of the future. Much of
this innovation is enabled by novel uses of personal information. So, it is incumbent on us to do what we have
done throughout history: apply our timeless privacy values to the new technologies and circumstances of our
times.”
19
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Given the education mission and associated corporate governance responsibilities, broad ethical considerations are crucial
regardless of the compulsion in law. This impacts broad considerations and concerns about the use of personal data, as well
as the specific uses involved in analytics.




Type of data - principles for collection and use.
Education mission - underlying issues of learning management, including social and performance engineering.
Motivation for development of analytics – combination of corporate, individual and general good.
Customer expectation – effective business practice, social data expectations, cultural considerations of a global
customer base.
 Obligation to act – duty of care arising from knowledge and the challenges of student and employee performance
management; this applies to things a student or employee may wish action to be taken on, and equally to things they
may not. For example, a claim by a failed student that the institution should, through analytics, have predicted failure
and therefore taken remedial action.
The following sections compare these considerations to existing models operating in the research, consumer and social
network domains.
6.2 ETHICS AND RESEARCH PRACTICE
The Nuremberg [16], Helsinki [17], and Belmont [18] codes and guidelines provided the foundation of more ethically uniform
research to which stringent rules and consequences for violation were attached. In 1946-47, in order to prosecute Nazi
doctors for the atrocities they committed, a list of ethical guidelines for the conduct of research – the Nuremberg Code –
were developed. The Nuremberg Code consisted of ten basic ethical principles, of which several are of strong relevance
outside medical research and potentially apply to human data collected for analytics.
Nuremberg Code
Analytics in Post-compulsory Education
Relevance
Research participants must
voluntarily consent to
research participation.
Research aims should
contribute to the good of
society.
Research must be based on
sound theory and prior
testing.
Research must avoid
unnecessary physical and
mental suffering.
Experiments can be
conducted only by qualified
persons.
Subjects must be allowed to
discontinue their
participation at any time.
Consent regarded as fundamental.
Strong
relevance
True of learning analytics but more complex in
other areas that relate more explicitly to business
success factors.
Whilst initially experimental, data collection is
underpinned by continuous testing of hypotheses in
search of new narratives and actionable insights.
The application of insights arising from learning
analytics can cause suffering but not the research
itself.
The professionalization of ‘data scientist’ roles in IT
teams and in domains such as teaching and
learning and libraries is an essential aspiration.
Unlike in the consumer world, it is perhaps hard to
opt out and to ensure that your data will not be
collected or used.
Some
relevance
20
Weaker
relevance
Strong
relevance
Strong
relevance
Some
relevance
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
The Nuremberg Guidelines paved the way for the next major initiative designed to promote responsible research with human
subjects, the Helsinki Declaration which lays out basic ethical principles for conducting biomedical research and has been
revised and updated periodically since 1964. It contains the basic ethical elements specified in the Nuremberg Code but then
advances further guidelines specifically designed to address the unique vulnerabilities of human subjects solicited to
participate in clinical research projects. The next set of research ethics guidelines came out in the Belmont Report of 1979
from the US National Commission for the Protection of Human Subjects of Biomedical and Behavioural Research. The
principles developed through these reports included the following:
Helsinki and Belmont
Analytics in Post-compulsory Education
The importance of preserving the
accuracy of research results and
evidence based interpretation.
This is a core aspiration.
The importance of determining
which situations and conditions are
appropriate and safe for research.
Boundaries between practice and
research.
Appropriateness is a hard call though it will
always be a headline consideration.
The principle of respect for
persons, applied through informed
consent.
The principle of beneficence,
applied through assessment of
risks and benefits.
The boundaries between research and
practice are blurred in fast-moving fields such
as learning analytics and recommender
services; whilst there is little scope to conduct
traditional research on a relevant scale, action
research seems to be an essential rolling
component of analytics strategy.
This is fundamental; considerations include
the duty of confidentiality.
Risk assessment and benefits analysis is
suitably engrained in HE operational practice;
however practitioners may have an incomplete
sense of the factors to be considered and also
of the complexity and changing nature of the
social systems in which they intervene.
For further information
American Psychological Association principles and code of ethics
http://www.apa.org/monitor/jan03/principles.aspx
UK Data Archive
21
Relevance
Strong
relevance
Strong
relevance
Weaker
relevance
Strong
relevance
Some
Relevance
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
http://www.data-archive.ac.uk/create-manage/consent-ethics/legal
Institutional Example – University of Manchester
http://www.arts.manchester.ac.uk/postgraduatestudy/ethics/faq/
Does the collection of activity data in education differ from medical or general research?
Research ethics provide a valuable basis for thinking about the issues raised by analytics, with the added advantage of
recognition within the educational community. However, the following table illustrates differences in terms of clarity of
purpose and benefit.
Aspect
Research
Activity Data
Consent
Specific to the research or clinical
episode.
Directed towards an agreed
outcome.
Requires general acceptance that
data will be collected.
May not be explicit, other than use
within broad boundaries relating to
personal benefit and business
improvement.
Corporate (business improvement),
potentially personal (client
experience), rarely sector wide or
global.
Intent
Benefits
Both personal and global.
6.3 BUSINESS AND CONSUMER PRACTICE
Where the collection of data for research purposes is governed by ethical and professional codes above and beyond legal
obligation, the same processes in business are typically concerned simply with the letter of the law.
Clients in Further and Higher Education will typically be familiar with and accepting of (though perhaps not approving of) the
practices of commercial organisations, whether online or on the street, such as retailers, advice and comparison services,
and loyalty schemes.
 Mutuality of some kind is central to the relationship between the data collector and the data subject.
 Business and service improvement is an accepted intent.
 Direct client benefits may not be explicit but ‘scheme benefits’ can be an alternative ‘sweetener’ (e.g. , loyalty points,
membership offers, targeted recommendation, connection through data with a community).
 Consent is required but is typically as open-ended as possible.
 Wider partnership exploitation of the data is notified, sometimes but not always with an opt-out.
 Business are looking for new connections so they are collecting ‘big data’ (e.g., point of sale, click streams); ‘just
enough’ data does not work.
22
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Example - Nectar Card
http://www.nectar.com/help/privacyPolicy.nectar
The privacy policy for the multi-partner Nectar loyalty card is considered in the following table. The clarity is noteworthy:
 This is about mutuality within the law rather than about ethical considerations, though recognised mutuality could be
regarded as a strong ethical underpinning for such activity
 The involvement of named partner organisations is explicit.
 Acceptance of the approach is mandatory to join the scheme and thereby to enjoy the benefits.
Nectar Card Privacy Policy
Relevance to Analytics in
Post-compulsory Education
What information will we use?
This provides a template for
a clear statement that can
be mirrored in the
institutional DPA
registration.
By participating in Nectar, we will collect and use information
about you and any additional collectors within your account.
This information includes your registration details, information
about the use of your Nectar card, shopping purchases and
other information that you give us (together "your
information").
How will your information be used?
Your information may be analysed to see how you use the
Nectar programme, to understand your shopping behaviour
and to send you (and/or additional collectors on your account)
information and offers for the products or services which are
most likely to interest you. You agree to receive these
communications in order to enjoy the benefits of participating
in Nectar.
Who will we share your information with?
We will only share your information within the Nectar group
and with companies participating in Nectar and their group
companies. A list of Nectar participating companies is
available at http://www.nectar.com/about-nectar/legal/participating-
The intent and a degree of
mutuality is explicit.
There is a clear mechanism
for acknowledging partners
which could cover shared
service, data centres and
other outsourced services.
companies.points.
Links with Facebook are explicitly handled:
http://www.nectar.com/about-nectar/legal/facebook.points
By linking your Facebook account with your Nectar account,
you agree to Nectar having access to and holding in
accordance with Nectar's privacy policy: your Facebook 'basic
information' (your Facebook user name, profile picture,
gender, networks, user ID, list of Facebook friends and
anything you have made public on Facebook); your email
address held by Facebook; and information on what you 'like'
on Facebook.
23
Recognition of the web of
data sharing connections
may be more problematic in
education where initiatives
may be system (e.g. VLE)
or faculty specific; this
raises data governance
issues that would be less
likely in a Business to
Consumer (B2C) setting.
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Example – Amazon.co.uk
Amazon UK also provides clear explanations about consent, security, the information collected (including the use of
cookies), the involvement of third parties and the user’s ability to access information about them (which only includes data
directly entered, rather than tracking data).
The presentation of this policy information at http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=502584 offers a
strong exemplar in terms of clarity and completeness (at least in the areas covered), as illustrated in the following screen
image. The quality of explanation in itself may be argued to represent an ethical constructive approach.
Does the collection of activity data in educat ion differ from good practice in the business to
consumer world ?
The practice adopted by leading business to consumer players provides a clear and legally grounded approach that is likely
to be readily understood by the public in much of the world. In particular, the development of a sense of mutual gain,
recognised and shared by a service organisation and its customers, is something to be learned from such as Amazon and
Nectar.
24
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
Aspect
Consent
Intent
Benefits
Business to Consumer
Education
General acceptance through broad
based consent at registration; covering
cookies and often providing clear
exemplification.
To improve the business and its
services.
Compatible with the B2C approach;
there are lessons to learn from the
level of explanation supporting the
consent process.
Compatible with the B2C approach;
whilst institutions way wish to be
more expansive about benefits, this
is not necessary and may carry risk.
Whilst institutions may not be able to
link loyalty schemes to activities such
as learning analytics data collection,
the core sense of mutuality is very
strong.
Typically linked to service
improvement and / or loyalty schemes.
From a broader UK society and government perspective, it is noteworthy that the data on the edited version of Electoral
Register is available for purchase by law, now on an opt-out basis.
6.4 BRAVE NEW WORLD
It is suggested by some commentators that there is an imperative to review and even to revise ethical considerations on
account of the increasingly widespread adoption and acceptance of:
 Online enquiry (e.g. comparison sites) and shopping with associated activity-based feedback loops.
 Social networking with its openness to making connections.
 Provision of preferences and automated use of activity data to filter information in order to save time.
Commentators such as Danish ‘digital strategist’ Peter Svarre [19] suggest new norms that arguably require a
reinterpretation of our reservations, if not our ethical position. Svarre’s presentation at the November 2011 OnTracks
conference encapsulates this position [20].
This ‘brave new world’ perspective is based on the assumptions that;
 Successive generations of internet users are time poor whilst wishing to leverage an opportunity rich digital ecosystem.
 The ‘born social’ generation (one step beyond simply ‘born digital’) are positively accepting of the pros and cons of
online identity and of such as automated association with ‘people like me’.
 There is therefore a will, even a presumption of necessity, to trade privacy for other benefits within the new social
economy.
An opposing position is taken up by Andrew Keen in ‘Digital Vertigo’ (subtitled ‘How today’s online social revolution is
dividing, diminishing and disorienting us’). Keen presents an ethical crisis precipitated by the digital revolution, warning of the
danger of ‘collective self-destruction’, including the loss of the rights privacy, autonomy and therefore liberty:
But the problem is that, by so radically socializing today’s digital revolution, we are, as a species, collectively
jumping off a cliff. And if we fail to build a networked society that protects the rights to individual privacy and
25
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
autonomy in the face of today’s cult of the social, we can’t ... launch a new company. Society isn’t just
another start-up – which is why we can’t entirely trust Silicon Valley entrepreneurs like Hoffman or Stone with
our future. Failing to properly assemble the social media airplane … means jeopardizing those precious rights
to individual privacy, secrecy and, yes, the liberty that individuals have won over the last millennium.
More generally, a number of distinguished authors such as Jaron Lanier (‘You are not a Gadget: a Manifesto’), Eli Pariser
(‘The Filter Bubble: what the Internet is hiding from you’) and Evgeny Morozov (‘The Net Delusion: How not to liberate the
world’) have pointed to the personal and societal downsides of an online data-driven culture.
The position presented by Keen, speaks deeper to the human condition and a Jeffersonian protection of inalienable rights
than more immediate considerations of consent, the client comfort zone or the value of lifelong personal data ownership.
Even if we regard Keen’s position as alarmist, institutions will be aware of challenges presented by the attitudes of some
supply chain partners in their attitudes to the collection of such as activity data, which seems far from benign or collaborative.
The barriers erected by publishers (e.g. resistance to sharing publicly article level access data) are a recurrent but far from
isolated example.
6.5 DOES DOMAIN OR APPLICATION MAKE A DIFFERENCE?
There is danger in assuming that ethical considerations are universal and therefore promoting the transferability of norms
across cultural and domain boundaries – in this case adopting the norms established about the use of personal data for
analytical purposes in other domains as explored above (research, consumer services and social networks).
In ‘Between Facts and Norms: Contributions to a Discourse Theory of Law and Democracy’ [21], political philosopher Jurgen
Habermas argues that in a modern pluralist culture normative issues should be separated from issues of the good life. Only
when various ethical traditions come into conflict with one another, as they inevitably do in a modern pluralist culture, do
normative issues arise that have implications for everyone.
It is argued therefore that ethical norms are defined by discourse in particular communities of practice. For example, the
public now has a general understanding of these such that when they come across medical research they know what to
expect, and equally know that B2C services have a different ethical stance, whilst both operate within the law. Meanwhile
new fields of activity such as education analytics lack convention and operationalisation of ethical principles, understanding
about what is actually going on and where the line is drawn in grey areas and perhaps also the defining stereotypes that
catalyse norms, as witnessed at Nuremberg.
So the challenge is whether the education community, not least in the emerging field of learning analytics, should revise its
ethical position on account of the widespread changes of attitude in the digital realm from which learners and researchers
are increasingly drawn. At the very least, even if ethical norms are not immutable, their current application in terms of selfevident good practice provides candidates for adoption regardless of context. This is exemplified in the norms of medical and
research ethics and B2C services introduced above.
Finally, regarding the development of norms, we may need to distinguish between differing uses of analytical data within the
core educational mission, taking care to assess whether the same principles and practice apply to the different applications.
Consider, for example, the different classes of teaching and learning application set out in the April 2012 US Department of
Education learning analytics report [22]:
26
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
 The report identifies purposes directly geared to benefit the close-to-real-time learner experience: user profiling,
adaptation and personalisation, user knowledge and behaviour modelling, and user experience modelling.
 It also highlights systemic or process improvement purposes to which the same analytical data can be applied: domain
modelling, learning system component analysis, instructional principle analysis, and trend analysis.
6.6 GUIDING PRINCIPLES
As Voltaire’s Candide might have reflected, we are faced with the imperative to seek out the ‘best of all possible worlds’:
 In assuring educational benefits, not least supporting student progression, maximising employment prospects and
enabling personalised learning (i.e. in the specific domain of learning analytics), it is incumbent on institutions to adopt
key principles from the research ethics, as enumerated in 4.1 above.
 As businesses, post-compulsory educational institutions are facing the same business drivers and globalised
competitive pressures as any organisation in the consumer world, as exemplified in 4.2 above.
 To satisfy expectations of the born digital / born social generations, there is a likely requirement to take on new
ethical considerations, which may run contrary to the sensibilities of previous generations, especially in respect of the
trade-off between privacy (as opposed to confidentiality) and service, as examined in 5.3 above. Furthermore we might
anticipate these expectations to be sharpened by increased fees.
We suggest that there are common principles that provide for good practice above the level of these apparent conflicts:
 Clarity – definition of purpose, scope and boundaries, even if that has to recognise it is broad and in some respects
open-ended.
 Comfort and care – consideration for both the interests and the feelings of the data subject and vigilance regarding
exceptional cases (for example, regarding alleged infringement of privacy or unsolicited advice).
 Choice and consent – opportunity to opt-out / opt-in and to withdraw (which may involve withdrawing from the wider
entity, such as the university).
 Consequence and complaint – recognition that there may be unforeseen consequences arising from handling of such
data and therefore providing mechanisms for complaint and take-down.
27
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
7. References
1. http://www.jisc.ac.uk/blog/no-such-thing-as-a-free-mooc/
2. http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
3. http://www.legislation.gov.uk/ukpga/1998/29/contents
4. http://www.legislation.gov.uk/ukpga/2000/36/contents
5. http://www.ipo.gov.uk/cdpact1988.pdf
6. http://www.ipo.gov.uk/cdpact1988.pdf
7. http://opendatacommons.org/
8. www.creativecommons.org
9. www.nationalarchives.gov.uk/doc/open-government-licence/
10. http://sca.jiscinvolve.org/wp/portfolio-items/briefing-paper-on-managing-orphan-works-2/ and
http://sca.jiscinvolve.org/wp/portfolio-items/template-notice-and-take-down-policy-and-procedure/
11.http://www.jisclegal.ac.uk/Portals/12/161111%20Consent%20Management%20Briefing%20Paper.pdf . This paper is based on a
more comprehensive report by JISC Legal “Consent Management: Handling Personalisation Data Lawfully” http://www.jisclegal.ac.uk/Themes/IdentityManagement.aspx
12. http://www.ico.gov.uk/for_the_public/topic_specific_guides/electoral_register.aspx
13. The investigation undertaken by the University of Edinburgh is covered at
http://edina.ac.uk/projects/Using_OpenURL_Activity_Data_Initial_Investigation_2011.pdf
14. http://radar.oreilly.com/2012/06/ethics-big-data-business-decisions.html
15. http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
16. http://en.wikipedia.org/wiki/Nuremberg_Code
17. http://en.wikipedia.org/wiki/Declaration_of_Helsinki
18. http://en.wikipedia.org/wiki/Belmont_Report
19. http://www.petersvarre.dk/
28
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
20. http://ontracks.dk/
21. http://mitpress.mit.edu/catalog/item/default.asp?ttype=2&tid=8386
22. http://evidenceframework.org/wp-content/uploads/2012/04/EDM-LA-Brief-Draft_4_10_12c.pdf
About the Author
David Kay is a senior consultant at Sero Consulting Ltd ( http://www.sero.co.uk ). He joined Sero in 2004 after over 20 years
involvement in the design and development of IT systems for education and library management and for learner support.
David began investigating the potential of activity data and resulting analytics in connection with Higher Education librarie s in
the 2009 JISC TILE project, working with Mark van Harmelen (Hedtek) and Ken Chad. He has subsequently been involved
in JISC’s further examination of those concepts in the MOSAIC demonstrator project and in the University of Manchester
synthesis of the 2011 Activity Data programme (http://activitydata.org ).
CETIS Analytics Series
Vol.1 No.1. Analytics, What is Changing and Why does it Matter?
Vol.1 No.2. Analytics for the Whole Institution; Balancing Strategy and Tactics
Vol.1 No.3. Analytics for Learning and Teaching
Vol.1 No.4. Analytics for Understanding Research
Vol.1 No.5.What is Analytics? Definition and Essential Characteristics
Vol.1 No.6. Legal, Risk and Ethical Aspects of Analytics in Higher Education
Vol.1 No.7. A Framework of Characteristics for Analytics
Vol.1 No.8. Institutional Readiness for Analytics
Vol.1 No.9. A Brief History of Analytics
Vol.1 No.10. The Implications of Analytics for Teaching Practice in Higher Education
Vol.1 No.11.Infrastructure and Tools for Analytics
http://publications.cetis.ac.uk/c/analytics
Acknowledgements
The CETIS Analytics Series was commissioned by Myles Danson (JISC programme manager) to give an overview of current
thinking around analytics in post-16 education in the UK. In addition to the authors the following people have contributed to
the production of the CETIS Analytics Series; Lorna Campbell (CETIS), Adam Cooper (CETIS), Rob Englebright (JISC), Neil
Jacobs (JISC), Sheila MacNeill (CETIS) and Christina Smart (CETIS). Design and Artwork by: http://www.consul4design.com
29
JISC CETIS Analytics Series: Vol.1 No.6 Legal, Risk and Ethical Aspects and Analytics
About this White Paper
Title: Vol.1 No.6.: Legal, Risk and Ethical Aspects of Analytics in Higher Education
Authors: David Kay (Sero Consulting), Naomi Korn and Professor Charles Oppenheim
Date: November 2012
URI: http://publications.cetis.ac.uk/2012/500
ISSN 2051-9214
Text Copyright © 2012 Sero Consulting
This work is licensed under the Creative Commons Attribution 3.0 UK Licence.
For more information on the JISC CETIS publication policy see
http://wiki.cetis.ac.uk/JISC_CETIS_Publication_Policy
Published by The University of Bolton
About CETIS
CETIS are globally recognised as leading experts on interoperability and technology standards in learning, education and
training. We work with our clients and partners to develop policy and strategy, providing impartial and independent advic e on
technology and standards. CETIS are active in the development and implementation of open standards and represent our
clients in national, European and global standards bodies and industry consortia, and have been instrumental in developing
and promoting the adoption of technology and standards for course advertising, open education resources, asse ssment, and
student data management, opening new markets and creating opportunities for innovation.
For more information visit our website: http://jisc.cetis.ac.uk/
The Analytics Series has been produced by CETIS for JISC: http://www.jisc.ac.uk/
30